7

I have an unrestricted DMZ that is currently set up with a non-critical/non-sensitive web server and database server inside. The database server gets interfaces from two critical systems but does not store any critical information. I am thinking that the database server should, at minimum, be behind a 2nd firewall. The DMZ should look like this:

Internet--Firewall--dmz--webserver--firewall--database server--LAN--Interfaces

Is this correct or am I over doing and over thinking the protection it needs? Also, should the connection to the web server, database server, and the database server's interfaces be SSL or would it just be SSL between the database server and it's interfaces? I'm always of a mind that more protection is better but am receiving pushback on this and I just want a neutral opinion.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
Angie
  • 71
  • 3
  • Can you define/elaborate on "gets interfaces from two critical systems"? – k1DBLITZ Oct 01 '15 at 12:56
  • The database server is connected via ODBC (I'm trying to clarify if they mean TLS or SSL or VPN as well but it's not in the diagram) to two other systems for interfaces (file transfers) so it can update its tables. The interfaces come in twice a day, I believe. Both systems are within a restricted DMZ behind the LAN. Both contain PII and sensitive content. – Angie Oct 01 '15 at 13:30
  • Are you saying that the non-sensitive/non-critical database has PII on it? – Neil Smithline Oct 01 '15 at 16:18

3 Answers3

1

The non-critical database server doesn't necessarily need to be behind a second firewall, but it is recommended it reside in a separate DMZ, or a separate VLAN within the same DMZ (with ACL's in place) at a bare minimum.

If I'm understanding your explanation correctly, it sounds like the non-critical database server in the DMZ is connected via ODBC to the critical database servers on the LAN?

Which side is permitted to initiate communication through the firewall?

If the non-critical database server is allowed to initiate communication to the critical database servers on the LAN (to pull data), this is very bad.

If the critical database servers on the LAN are initiating communication to the non-critical database server (to push data) this is more preferred.

Without knowing the intimate details, I'm questioning why this non-critical database server needs to interface with critical database servers if it does not store any sensitive data?

Things to keep in mind:

If this non sensitive web application is vulnerable to SQL injection, the non-critical database will be compromised.

If the web server is compromised by vulnerability XYZ, it can be used as an attack point for the non-critical database server.

k1DBLITZ
  • 3,933
  • 14
  • 20
  • Thanks for the response. The communication is one way from the critical systems to the database. I'm concerned about the ODBC connection because as far as I understand it's unsecure. The database contains the code for the web page. Could a hacker conceivably change the web page to ask for PII or other info from users or something worse? Also can a hacker use the database server as a conduit somehow to get to the critical systems on the LAN? The database server connects with the critical systems because the application is essentially a way for users to check status on their bills or retirement. – Angie Oct 01 '15 at 14:43
  • The users enter their account number on the webpage, the web server connects to the db server to access a table and a message just says something like 'Your bill is due in 10 days and is $55. If you have questions about your bill please contact customer service' The only info that is sent from the critical systems is the amount, account number and due date. The rest of the info - name, ssn, address, etc. is stored in the critical system. – Angie Oct 01 '15 at 14:47
  • I checked for HTML injections and the possibility of a DOS attack on the page. I confirmed each field has business rules and proper statements for bad input. I'm in process of requesting they add one of those people confirmers (forgot the name) where they enter a word to confirm they're not a robot and also implementing monitoring of the traffic on the page to ensure that if the baseline changes (up or down) by a certain percentage the team is notified. – Angie Oct 01 '15 at 15:03
  • Anything else I might need to look for? Sorry for the dumb-sounding answers, I'm security for an access database system that is entirely internal and was just assigned this web application that is public facing. I am kinda out of my element. – Angie Oct 01 '15 at 15:04
  • "People confirmers" are commonly referred to as Captchas. :) As for the webserver, ideally there would be a WAF (web application firewall) or HIDS (host based IDS) in place to help prevent and detect attacks. In this case though, it seems the cost to implement would be higher than the data worth protecting. It would serve the security posture well if the developers are following OWASP and SANS SWAT guidelines for secure coding. – k1DBLITZ Oct 05 '15 at 13:09
1

k1BLITZ answer addresses a key point - that is the need for the DMZ to only get inbound traffic. This will ensure that, should someone take over the servers in the DMZ, he won't be able to go further (to the LAN).

To address your other concerns:

  • if the DMZ web server is compromized, it can obviously display anything, including a request for your users to authenticate, provide sensitive details etc. So even if the integrity of the data is preserved on the LAN databases, they can still leak via the users.

  • do not try to reinvent the wheel. Use OWASP as your guide, notably in your case the section on SQL.

WoJ
  • 8,957
  • 2
  • 32
  • 51
1

Hate to be critical but I think it needs to be pointed out. First the solution to the problem is actually application centric and not network centric problem. Your method of the fix is based around the legacy port and process protection methods. It ignores the realities of your other attack surfaces.

First, depending on what type of firewalls you have their may be limited dpi (deep packet inspection) capabilities. Most vulnerabilities happen at the application layer and this the primary area of concern would be addressed at the application layer. Your primary surface area from the internet will be the web server. One thing that DPI will help with is limit the type of statements that can be executed against the server, unless the connection is encrypted from the web-server to DB.

Even if the resources are not critical or have sensitive data there is a level of impact if the DB is affected.

A solution that may be more secure based on the digram. Here is a quick foo stick diagram.

HTTP REQ-> endpoint_filter-> SQL-Statment-code->statement-filter>SQL_Connection_timer->foo

HTTP_RESP<-DPI<-Return Function<-foo -Length -filter N

I see to many companies get popped because of network centric thinking.

mtidaho
  • 41
  • 4